Kimsuky Using TRANSLATEXT Chrome Extension to Steal Sensitive Data

Summary:
A North Korean APT group, Kimsuky, was discovered using a malicious Google Chrome extension codenamed TRANSLATEXT to target South Korean academia focused on North Korean affairs in March 2024. Kimsuky is a notorious hacking crew from North Korea that has been active since at least 2012, orchestrating cyber espionage and financially motivated attacks targeting South Korean entities. TRANSLATEXT steals email addresses, usernames, passwords, cookies, and browser screenshots by masquerading as the legitimate translation tool Google Translate. The extension leverages JavaScript to bypass security measures for prominent services like Gmail, Kakao, and Naver. It can also capture screenshots and delete cookies upon receiving commands.

The initial attack vector is yet to be identified, but Kimsuky is known to employ spear-phishing and social engineering tactics. Security researchers believe a ZIP archive containing a decoy document and a malicious executable might be part of the initial distribution method. Launching the executable triggers a series of actions, including downloading additional malicious PowerShell scripts from, and uploading stolen data to, attacker-controlled servers. Zscaler researchers said they found a GitHub account, created on February 13, 2024, briefly hosting the TRANSLATEXT extension under the name "GoogleTranslate.crx," although its delivery method is presently unknown. In recent weeks the group has also weaponized a Microsoft Office security flaw to drop another espionage tool and establish persistence via a previously undocumented backdoor.

Security Officer Comments:
This incident highlights the evolving tactics of North Korean cyber actors. Kimsuky's use of a malicious Chrome extension demonstrates their focus on exploiting trust in popular software to gain access to sensitive information. The focus on South Korean academia suggests an interest in gathering intelligence on North Korean political affairs. Educational institutions, particularly those in South Korea with research interests in North Korea, should be aware of this ongoing campaign. In recent weeks, the group has weaponized a known security flaw in Microsoft Office (CVE-2017-11882) to distribute a keylogger and, in a separate campaign, has used job-themed lures in attacks aimed at the aerospace and defense sectors to drop an espionage tool with data-gathering and secondary-payload-execution functionality. It is crucial to stay informed about the latest cyber threats and exercise caution when installing extensions from untrusted sources. Organizations can mitigate these risks by implementing security awareness training programs and enforcing stricter protocols for software installation.

Suggested Corrections:
IOCs for this campaign are published here.

  • Educate users on social engineering tactics: Train employees, especially those in targeted sectors like academia, to recognize suspicious emails and attachments. Techniques like sender verification, checking for grammatical errors, and avoiding unexpected attachments can help reduce the success rate of spear-phishing attempts.
  • Highlight dangers of unverified extensions: Inform users about the risks of installing browser extensions from untrusted sources. Encourage users to only install extensions from official app stores or developer websites.
  • Implement strong email filtering: Utilize email filtering solutions that can detect and block malicious emails containing phishing attempts or suspicious attachments.
  • Enforce application whitelisting: Implement application whitelisting to restrict users from installing unauthorized software, including browser extensions. Only allow pre-approved extensions with legitimate purposes.
  • Patch systems promptly: Ensure all systems are patched with the latest security updates to address vulnerabilities that Kimsuky might exploit for initial access. This includes patching the Microsoft Office vulnerability (CVE-2017-11882) mentioned in a different but recent report on Kimsuky activity.
  • Monitor network activity: Implement network monitoring solutions to identify suspicious activity such as communication with unknown servers or data exfiltration attempts.
  • Threat intelligence sharing: Stay informed about the latest Kimsuky tactics, techniques, and procedures (TTPs) by subscribing to threat intelligence feeds or collaborating with cybersecurity communities.
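The extension-allowlisting and monitoring recommendations above can be backed by a simple host audit. The following is an added example (not from the original report or from Zscaler) that parses a Chrome profile's "Secure Preferences" JSON (the per-profile file where Chrome records each installed extension's manifest, install origin and state) and flags extensions that are not on an approved list, did not come from the Chrome Web Store, or hold the kinds of permissions an extension needs to read cookies and screenshot pages, as TRANSLATEXT does. The extension IDs, names and file contents are constructed; the meaning of the "state" field (1 = enabled) is an assumption about Chrome's preference layout.

```python
import json
from typing import Dict, List, Set

# Constructed sample in the shape of Chrome's per-profile "Secure Preferences"
# file: extensions.settings is keyed by the 32-character extension ID.
# Both IDs and names here are made up for the example.
SAMPLE_SECURE_PREFS = json.dumps({
    "extensions": {
        "settings": {
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
                "from_webstore": True,
                "state": 1,
                "manifest": {"name": "Corporate Password Manager", "version": "4.2",
                             "permissions": ["storage", "activeTab"]},
            },
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
                "from_webstore": False,
                "state": 1,
                "manifest": {"name": "Google Translate", "version": "1.0",
                             "permissions": ["cookies", "tabs", "<all_urls>"]},
            },
        }
    }
})

# Extension IDs the organisation has pre-approved (constructed).
ALLOWLIST: Set[str] = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}

# Permissions that let an extension read cookies, capture tabs or inject
# scripts into arbitrary sites: the capabilities the report attributes to TRANSLATEXT.
SENSITIVE = {"cookies", "tabs", "<all_urls>", "webRequest", "scripting", "debugger"}

def audit_extensions(secure_prefs_json: str, allowlist: Set[str]) -> List[Dict]:
    """Return one finding per enabled extension that fails any of the three checks."""
    prefs = json.loads(secure_prefs_json)
    findings = []
    for ext_id, entry in prefs.get("extensions", {}).get("settings", {}).items():
        if entry.get("state") != 1:   # assumption: 1 == enabled; skip disabled entries
            continue
        manifest = entry.get("manifest") or {}
        perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
        reasons = []
        if ext_id not in allowlist:
            reasons.append("not on allowlist")
        if not entry.get("from_webstore", False):
            reasons.append("not installed from Chrome Web Store")
        if perms & SENSITIVE:
            reasons.append("sensitive permissions: " + ", ".join(sorted(perms & SENSITIVE)))
        if reasons:
            findings.append({"id": ext_id, "name": manifest.get("name"), "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in audit_extensions(SAMPLE_SECURE_PREFS, ALLOWLIST):
        print(f["id"], f["name"], "->", "; ".join(f["reasons"]))
```

In a deployment the JSON would be read from each user's profile directory and the findings forwarded to the SIEM that the network-monitoring recommendation already assumes.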

Link(s):
https://thehackernews.com/2024/06/kimsuky-using-translatext-chrome.html